The document discusses using proxy ARP to allow multiple containers and VMs to share a single network interface on the host machine. It notes some limitations of alternative approaches like Linux bridges, Open vSwitch, and MACVLAN. It also describes some issues with proxy ARP like stealing MAC addresses and requiring static routing. The proposed solution is to use arptables to selectively allow ARP requests from specific IP addresses to prevent MAC address conflicts while enabling network access for containers and VMs.
10. Why not use OpenVswitch, brctl or even MACVLAN
● Linux bridge is limited to around 200Mbit/s
● OpenVswitch eats a lot of RAM and CPU. When you receive a DDoS, your whole system goes down
● both OpenVswitch and MACVLAN do not allow you to use iptables/ebtables, and they leak broadcasts
11. proxy_arp issues
● stealing MACs of neighboring machines
  – arptables helps with that
  – static ARP entries speed up the responses and also help with the security
● requires static routing for each container/VM
  – but you can solve that with BIRD
● gratuitous and unsolicited ARP requests simply don't work
  – that is why I wrote arpsniff: https://github.com/Kyup-com/arpsniff
12. # arping -I eth0 -U 192.168.0.10
does not work :(
# arping -I eth0 -A 192.168.0.10
does not work :(
13. Solution - arp stealing
# arptables -P OUT DROP
# arptables -I OUT -j ACCEPT -o eth0 -z XX:XX:XX.. -s 192.168.0.100
# arptables -I OUT -j ACCEPT -o eth0 -z XX:XX:XX.. -s 192.168.0.10
# arptables -I OUT -j ACCEPT -o veth0
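Putting slides 11 and 13 together as an added example (not code from the talk): a POSIX shell script that emits the arptables rules, the per-container /32 routes and the static ARP entries for a list of containers. The uplink name, host address, container IPs, veth names and MACs are constructed placeholders, and arptables' long option `--source-mac` is used for the sender-MAC match.

```shell
#!/bin/sh
# Added example, not from the original slides. Prints the commands that
# implement slides 11 and 13: proxy_arp on the uplink, ARP answers on the
# uplink only for the listed container IPs (with the host MAC as sender),
# plus a static /32 route and a static ARP entry per container veth.
# Interface names, MACs and IPs are constructed placeholders.

UPLINK="${UPLINK:-eth0}"
HOST_IP="${HOST_IP:-192.168.0.2}"   # host's own address on the uplink (assumed)

# One record per container: "<ip> <veth on host> <container mac>" (constructed)
CONTAINERS='192.168.0.10 veth0 02:00:00:00:00:0a
192.168.0.100 veth1 02:00:00:00:00:64'

valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# build_rules <uplink mac>: print the rule set; pipe it into sh as root to apply.
build_rules() {
    uplink_mac="$1"
    valid_mac "$uplink_mac" || { echo "bad MAC: $uplink_mac" >&2; return 1; }
    echo "sysctl -w net.ipv4.conf.${UPLINK}.proxy_arp=1"
    echo "arptables -F OUT"
    echo "arptables -P OUT DROP"
    # The host still has to ARP for itself on the uplink, so allow its own address.
    echo "arptables -I OUT -j ACCEPT -o ${UPLINK} --source-mac ${uplink_mac} -s ${HOST_IP}"
    printf '%s\n' "$CONTAINERS" | while read -r ip veth mac; do
        [ -z "$ip" ] && continue
        # Proxy replies only for this container's IP; a neighbour's IP falls
        # through to DROP, so the host cannot steal it.
        echo "arptables -I OUT -j ACCEPT -o ${UPLINK} --source-mac ${uplink_mac} -s ${ip}"
        # ARP toward the container over its own veth stays unrestricted.
        echo "arptables -I OUT -j ACCEPT -o ${veth}"
        # /32 route that proxy_arp consults before answering (BIRD could manage these).
        echo "ip route replace ${ip}/32 dev ${veth}"
        # Static neighbour entry: faster answers, and the container cannot re-map its IP.
        echo "ip neigh replace ${ip} lladdr ${mac} nud permanent dev ${veth}"
    done
}

# As root: UPLINK_MAC=$(cat /sys/class/net/eth0/address) sh proxyarp-rules.sh | sh
if [ -n "${UPLINK_MAC:-}" ]; then
    build_rules "$UPLINK_MAC"
fi
```

Review the printed rule set before piping it into sh; with policy DROP on the OUT chain, any address missing from the list simply stops being answered on the uplink.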